HIPAA Compliance News

July 2023 Healthcare Data Breach Report

There was a 15.2% fall in reported data breaches in July with 56 breaches of 500 or more records reported to the HHS’ Office for Civil Rights (OCR), which makes July an average month for data breaches. Over the past 12 months, 57 breaches have been reported each month on average; however, July was not an average month in terms of the number of compromised records.

There was a 261% month-over-month increase in breached records in July, with 18,116,982 records breached across the 56 reported incidents. The incredibly high total was due to a major data breach at HCA Healthcare that saw the records of 11,270,000 individuals compromised.

The figures this month bring the running breach total for 2023 up to 395 incidents, across which the records of 59,569,604 individuals have been exposed or stolen. The average breach size for 2023 is 150,809 records and the median breach size is 4,209 records. Over the past 12 months, more than 81.76 million records have been breached across 683 incidents.

Largest Healthcare Data Breaches Reported in July

HCA Healthcare is a Nashville, TN-based health system that operates 182 hospitals and around 2,300 sites of care. Hackers gained access to an external electronic storage facility that was used by a business associate for automating the formatting of email messages, such as reminders sent to patients about scheduling appointments. While the breach was one of the largest ever reported, the data stolen in the attack was limited. HCA Healthcare said the data compromised was limited to name, city, state, zip code, email, telephone number, date of birth, gender, service date, location, and, in some instances, the date of the next appointment.

The second largest breach, reported by the Centers for Medicare and Medicaid Services (CMS) as affecting 1,362,470 Medicare recipients, was more severe due to the types of data compromised. The breach occurred at a CMS contractor, Maximus Federal Services, Inc. (Maximus). Maximus was one of hundreds of organizations to fall victim to the mass exploitation of a zero-day vulnerability in Progress Software’s MOVEit Transfer file transfer solution. Progress Software identified the vulnerability and issued a patch on May 31, 2023; however, the vulnerability had already been exploited by the Clop hacking group. The total number of victims of this breach has yet to be determined; however, Kon Briefing has been tracking the breach reports and reports that at least 734 organizations had the vulnerability exploited and between 42.7 million and 47.6 million records were stolen in the attack. Clop did not encrypt data, just stole files and issued ransom demands, payment of which was required to prevent the release or sale of the stolen data. In July, 26 breaches of 10,000 or more records were reported to OCR, 11 of which were due to the exploitation of the MOVEit vulnerability. All but two of the 26 breaches were due to hacking incidents.

Name of Covered Entity State Covered Entity Type Individuals Affected Type of Breach Cause of Breach
HCA Healthcare TN Business Associate 11,270,000 Hacking/IT Incident Hacking Incident – External, electronic storage facility used by a business associate
Centers for Medicare & Medicaid Services MD Health Plan 1,362,470 Hacking/IT Incident Hacking incident – MOVEit Transfer data theft/extortion (Maximus)
Florida Health Sciences Center, Inc. dba Tampa General Hospital FL Healthcare Provider 1,313,636 Hacking/IT Incident Hacking incident – Ransomware attack
Pension Benefit Information, LLC MN Business Associate 1,209,825 Hacking/IT Incident Hacking incident – MOVEit Transfer data theft/extortion
Allegheny County PA Healthcare Provider 689,686 Hacking/IT Incident Hacking incident – MOVEit Transfer data theft/extortion
United Healthcare Services, Inc. Single Affiliated Covered Entity CT Health Plan 398,319 Hacking/IT Incident Hacking incident
Johns Hopkins Medicine MD Healthcare Provider 310,405 Hacking/IT Incident Hacking incident – MOVEit Transfer data theft/extortion
Harris County Hospital District d/b/a Harris Health System TX Healthcare Provider 224,703 Hacking/IT Incident Hacking incident – MOVEit Transfer data theft/extortion
Precision Anesthesia Billing LLC FL Business Associate 209,200 Hacking/IT Incident Hacking incident – Ransomware attack
Fairfax Oral and Maxillofacial Surgery VA Healthcare Provider 208,194 Hacking/IT Incident Hacking incident
The Chattanooga Heart Institute TN Healthcare Provider 170,450 Hacking/IT Incident Hacking incident – Data theft confirmed
Phoenician Medical Center, Inc AZ Healthcare Provider 162,500 Hacking/IT Incident Hacking incident – Data theft confirmed
UT Southwestern Medical Center TX Healthcare Provider 98,437 Hacking/IT Incident Hacking incident – MOVEit Transfer data theft/extortion
Hillsborough County, Florida (County Government) FL Healthcare Provider 70,636 Hacking/IT Incident Hacking incident – MOVEit Transfer data theft/extortion
Family Vision of Anderson, P.A. SC Healthcare Provider 62,631 Hacking/IT Incident Hacking incident – Ransomware attack
Jefferson County Health Center IA Healthcare Provider 53,827 Hacking/IT Incident Hacking incident – Data theft confirmed (Karakurt threat group)
New England Life Care, Inc. ME Healthcare Provider 51,854 Hacking/IT Incident Hacking incident
Care N’ Care Insurance Company, Inc. TX Health Plan 33,032 Hacking/IT Incident Hacking incident – MOVEit Transfer data theft/extortion (TMG Health Inc)
Synergy Healthcare Services GA Business Associate 25,772 Hacking/IT Incident Hacking incident
Rite Aid Corporation PA Healthcare Provider 24,400 Hacking/IT Incident Hacking incident – MOVEit Transfer data theft/extortion
Life Management Center of Northwest Florida, Inc. FL Healthcare Provider 19,107 Hacking/IT Incident Hacking incident
Saint Francis Health System OK Healthcare Provider 18,911 Hacking/IT Incident Hacking incident – MOVEit Transfer data theft/extortion
Pennsylvania Department of Human Services PA Healthcare Provider 16,390 Unauthorized Access/Disclosure Hacking incident – Unauthorized access to a system test website
The Vitality Group, LLC IL Business Associate 15,569 Hacking/IT Incident Hacking incident – MOVEit Transfer data theft/extortion
Wake Family Eye Care NC Healthcare Provider 14,264 Hacking/IT Incident Hacking incident – Ransomware attack
East Houston Med and Ped Clinic TX Healthcare Provider 10,000 Unauthorized Access/Disclosure Storage unit sold that contained boxes of patient records

Causes of July 2023 Data Breaches

Hacking incidents dominated the breach reports in July, with 49 incidents reported to OCR involving 18,083,328 records. The average breach size was 369,048 records and the median breach size was 9,383 records. The majority of these incidents were data theft and extortion incidents, where hackers gained access to networks, stole data, and issued ransom demands. Many hacking groups are now choosing not to encrypt files and are concentrating on data theft and extortion. When claiming responsibility for the MOVEit attacks, a spokesperson for the Clop group said they could have encrypted data but chose not to.

There were 7 unauthorized access/disclosure incidents reported involving the PHI of 33,654 individuals. The average breach size was 4,808 records and the median breach size was 1,541 records. Three of those incidents involved unauthorized access to paper records and three were email-related data breaches. There were no reported breaches involving the loss, theft, or impermissible disclosure of physical records or devices containing electronic PHI.

Where did the Data Breaches Occur?

The OCR breach portal lists data breaches by the reporting entity, although that is not necessarily where the data breach occurred. Business associates of HIPAA-covered entities may report their own breaches, they may be reported by the covered entity, or a combination of the two. For instance, Maximus reported its MOVEit Transfer breach as affecting 932 individuals, but many of its clients were affected and the total number of individuals affected was in the millions.

The raw data on the breach portal indicates 37 breaches at healthcare providers, 11 breaches at business associates, 7 at health plans, and one breach at a healthcare clearing house. The charts below are based on where the breach occurred, rather than the reporting entity.

Geographical Distribution of Data Breaches

Data breaches of 500 or more records were reported by HIPAA-regulated entities in 25 states. Texas was the worst affected state with 7 breaches, with Florida and California also badly affected.

State Breaches
Texas 7
Florida 6
California 5
Maryland, Pennsylvania & Tennessee 4
Arizona & North Carolina 3
Connecticut, Illinois & Minnesota 2
Georgia, Idaho, Indiana, Iowa, Kentucky, Maine, Michigan, New Jersey, New York, Ohio, Oklahoma, South Carolina, Virginia & Washington 1

HIPAA Enforcement Activity in July 2023

There were no enforcement actions announced by OCR or state attorneys general in July to resolve HIPAA violations.

The post July 2023 Healthcare Data Breach Report appeared first on HIPAA Journal.

OCR’s COVID-19 Telehealth Enforcement Discretion Transition Period Ends

At 11.59 pm on August 9, 2023, the transition period for ensuring telehealth services are fully HIPAA-compliant came to an end. Healthcare providers must now ensure that their telehealth services are provided using platforms that are fully compliant with the HIPAA Rules.

The enforcement discretion policy was initiated for telehealth in response to the COVID-19 pandemic. OCR announced that it would not impose sanctions and penalties for HIPAA violations in connection with the good faith provision of telehealth services, provided non-public facing remote communications technologies were used for providing telehealth services. That meant that communications platforms that would not normally be permitted under HIPAA could be used for providing telehealth services, such as platforms provided by vendors who would not sign business associate agreements covering their products.

The enforcement discretion period was in effect for the duration of the COVID-19 Public Health Emergency (PHE); however, when the PHE came to an end, OCR announced there would be a 90-day transition period to give healthcare providers time to ensure their communication tools were made HIPAA-compliant or transition to an alternative communications tool that is fully compliant with the HIPAA Rules. Now that the enforcement discretion period and the transition period are over, healthcare providers must only use fully compliant communications tools for providing telehealth services or risk financial penalties.

OCR has published guidance to help healthcare providers provide audio-only telehealth services and ensure compliance with the HIPAA Rules. The guidance includes answers to commonly asked questions with respect to HIPAA and telehealth and can be viewed on the HHS website.

The post OCR’s COVID-19 Telehealth Enforcement Discretion Transition Period Ends appeared first on HIPAA Journal.

AHA, AMA, BCBSA Urge CMS Not to Adopt Proposed Standards for Healthcare Attachments

The HHS’ Centers for Medicare and Medicaid Services (CMS) is being urged not to implement the proposed standards for prior authorization attachments, as detailed in its December 2022 Notice of Proposed Rulemaking (NPR). In a letter to CMS Administrator, Chiquita Brooks-LaSure, the American Hospital Association (AHA), American Medical Association (AMA), and Blue Cross Blue Shield Association (BCBSA) applauded the CMS for its focus on reforming prior authorization to ensure timely access to care for patients while minimizing manual paperwork for all healthcare stakeholders, but expressed their concern that the proposed changes would likely cause widespread industry confusion, be enormously expensive, and would create the same costly burdens that the proposed standards seek to alleviate.

“First, major efforts are underway to automate PA-related data exchange leveraging Health Level 7 (HL7) Fast Healthcare Interoperability Resources (FHIR) implementation guides,” explained the trade groups in the letter. “Secondly, and even more significantly, the Advancing Interoperability and Improving Prior Authorization NPRM (CMS-0057-P) would require federally regulated health plans to offer HL7 FHIR-based application programming interfaces to support electronic PA information exchange. In contrast, the attachments NPRM would require a combination of both X12 and HL7 standards and apply to all health plans under the Health Insurance Portability and Accountability Act (HIPAA) regulatory pathway.”

The NPRMs would create conflicting provisions and would establish two different sets of standards and workflows to complete the prior authorization process and federally regulated health plans would be required to crosswalk the two standards for no discernible benefit. That would directly counter the foundational principles of the original HIPAA administrative simplification regulations, which require the adoption of uniform electronic standards to support communication between providers and all health plans. As such, the AHA, AMA, and BCBSA strongly advise against the adoption of the standards for prior authorization attachments.

The post AHA, AMA, BCBSA Urge CMS Not to Adopt Proposed Standards for Healthcare Attachments appeared first on HIPAA Journal.

OCR/FTC Warn Hospitals & Telehealth Companies About Tracking Technologies

The Department of Health and Human Services’ Office for Civil Rights (OCR) and the Federal Trade Commission (FTC) have written to 130 hospitals and telehealth providers warning them about the risks of using tracking technologies such as pixels on their websites and web apps which may disclose sensitive health information to third parties in violation of the HIPAA Rules and the FTC Act.

A study published in Health Affairs suggests 98.6% of US nonfederal acute care hospitals have used tracking technologies on their websites, and a 2022 analysis by The Markup found one-third of the top 100 hospitals in the United States were using tracking technologies on their websites that could collect individually identifiable information, including information about health conditions. Following these discoveries, several hospitals and health systems reported breaches of protected health information, some of which involved impermissible disclosures of millions of patient records.

A later study by The Markup found that the technologies were also widely used by telehealth companies. Even companies that are not required to comply with the HIPAA Rules have an obligation to protect personal health information against impermissible disclosure. The FTC has already taken action against entities that are not covered by HIPAA, such as GoodRx, BetterHelp, and Premom, over the use of these tracking technologies for alleged violations of the FTC Act and Health Breach Notification Rule.

In December 2022, OCR issued guidance to HIPAA-regulated entities on HIPAA and tracking technologies. While these tools can provide valuable insights for improving the services provided to patients, these technologies can collect and transmit information protected by HIPAA. Further, these technologies also permit the tracking of users even after they navigate away from the website or mobile app where the tracking technology is used. Any information transmitted to a third party may then be used for a purpose not permitted under the HIPAA Rules, and the collected information may be further disclosed to other third parties.

“When consumers visit a hospital’s website or seek telehealth services, they should not have to worry that their most private and sensitive health information may be disclosed to advertisers and other unnamed, hidden third parties,” said Samuel Levine, Director of the FTC’s Bureau of Consumer Protection. “The FTC is again serving notice that companies need to exercise extreme caution when using online tracking technologies and that we will continue doing everything in our powers to protect consumers’ health information from potential misuse and exploitation.”

“Although online tracking technologies can be used for beneficial purposes, patients and others should not have to sacrifice the privacy of their health information when using a hospital’s website,” said Melanie Fontes Rainer, OCR Director. “OCR continues to be concerned about impermissible disclosures of health information to third parties and will use all of its resources to address this issue.”

The letters were jointly sent by OCR and the FTC to 130 entities cautioning them about tracking technologies on websites and mobile apps that can potentially disclose sensitive health data. The organizations that were sent the letters are believed to have used or are using tracking technologies such as Pixel from Meta/Facebook and Google

Analytics code to collect and analyze user interactions on websites and web apps. The letters do not mean that an organization has been found to be in violation of violated HIPAA or the FTC Act nor does the failure to receive a letter mean that an organization is in the clear. All organizations that collect personal health information should review their websites and web apps to identify any tracking technologies and ensure they are fully compliant with all relevant laws. If tracking technologies are discovered to have been used on websites or apps that impermissibly disclosed personal health information or protected health information to third parties, then the breaches should be reported in accordance with the HIPAA Breach Notification Rule and FTC Health Breach Notification Rule.

“Both agencies are closely watching developments in this area,” explained the FTC and OCR in the letters. “To the extent you are using the tracking technologies described in this letter on your website or app, we strongly encourage you to review the laws cited in this letter and take actions to protect the privacy and security of individuals’ health information.”

The post OCR/FTC Warn Hospitals & Telehealth Companies About Tracking Technologies appeared first on HIPAA Journal.

June 2023 Healthcare Data Breach Report

The Department of Health and Human Services’ Office for Civil Rights (OCR) breach portal shows a 12% month-over-month reduction in the number of healthcare data breaches of 500 or more records. In June, HIPAA-regulated entities reported 66 breaches, and while this was an improvement on the 73 breaches reported in June 2022, the month’s total is still well above the 12-month average of 58 data breaches a month.

Healthcare Data Breaches Past 12 Months - June 2023

May was a particularly bad month for data breaches with more than 19 million individuals having their protected health information exposed or impermissibly disclosed, so while there was a 73.67% month-over-month reduction in breached records in June, the previous month’s total was unnaturally high. June’s total of 5,015,083 breached records was below the 12-month average of 6 million records a month and less than the 6,258,833 records breached in June 2022, but that is still more than 167,000 breached healthcare records a day – 17.6% more than the daily average in 2022.

Healthcare Records Breached in the past 12 months - June -2023

In H1 2023, 41,452,622 healthcare records were exposed or impermissibly disclosed. That’s just a few thousand records short of the total for all of 2019 and just 10 million below the total for all of 2022.

Largest Healthcare Data Breaches in June 2023

In June, 25 data breaches of 500 or more records were reported to OCR, all but two of which were hacking/IT incidents. The largest breach of the month by some distance was a ransomware attack and data theft incident at the biotech and diagnostics company, Enzo Clinical Labs (Enzo Biochem).  Murfreesboro Medical Clinic & SurgiCenter also suffered a major breach where sensitive data was stolen and a ransom demand was issued to prevent a data leak, as did Intellihartx. Intellihartx was one of several companies that had sensitive data stolen by the Cl0p ransomware group, which mass exploited a zero day vulnerability in Fortra’s GoAnywhere MFT file transfer solution in late January.

As the table below indicates, it is becoming increasingly common for HIPAA-regulated entities to only disclose limited information in their notification letters. Data breaches are often reported as “unauthorized individuals accessed the network and may have accessed or removed patient information,” even when data theft has been confirmed and the stolen data has been uploaded to the data leak sites of ransomware groups. The lack of information can make it difficult for victims of data breaches to assess the level of risk they face.

Healthcare Data Breaches of 10,000 or More Records

Name of Covered Entity State Covered Entity Type Individuals Affected Type of Breach Cause of Breach
Enzo Clinical Labs, Inc. NY Healthcare Provider 2,470,000 Hacking/IT Incident Ransomware attack
Murfreesboro Medical Clinic & SurgiCenter TN Healthcare Provider 559,000 Hacking/IT Incident Cyberattack (extortion)
Intellihartx, LLC TN Business Associate 489,830 Hacking/IT Incident Cyberattack (extortion) – Fortra GoAnywhere MFT Solution hacked
Advanced Medical Management, LLC MD Business Associate 319,485 Hacking/IT Incident Hacking of network designed/maintained by a business associate
Great Valley Cardiology PA Healthcare Provider 181,764 Hacking/IT Incident Cyberattack – Brute force attack involving data theft
Petaluma Health Center CA Healthcare Provider 124,862 Hacking/IT Incident Cyberattack – Details unknown
Imagine360 PA Business Associate 112,611 Unauthorized Access/Disclosure Cyberattack (extortion) – Fortra GoAnywhere MFT and Citrix file transfer solutions hacked
Kannact, Inc. OR Business Associate 103,547 Hacking/IT Incident Cyberattack (extortion) – Fortra GoAnywhere MFT Solution hacked
Activate Healthcare LLC IL Healthcare Provider 93,761 Hacking/IT Incident Cyberattack with data theft confirmed
Desert Physicians Management CA Business Associate 56,556 Hacking/IT Incident Cyberattack with data theft confirmed
ARx Patient Solutions KS Healthcare Provider 41166 Unauthorized Access/Disclosure Compromised email account
Orrick, Herrington & Sutcliffe LLP CA Business Associate 40,823 Hacking/IT Incident Cyberattack – Details unknown
Tidewater Diagnostic Imaging, Ltd. MA Healthcare Provider 40,195 Hacking/IT Incident Hacking Incident – Details unknown
Peachtree Orthopaedic Clinic, P.A. GA Healthcare Provider 34,691 Hacking/IT Incident Cyberattack (extortion) by Karakurt threat group
Atlanta Women’s Health Group, P.C. GA Healthcare Provider 33,839 Hacking/IT Incident Cyberattack – Details unknown
Maimonides Medical Center NY Healthcare Provider 33,000 Hacking/IT Incident Cyberattack – Details unknown
Elgon Information Systems MA Business Associate 31,248 Hacking/IT Incident Hacking Incident – Details unknown
Community Research Foundation CA Healthcare Provider 30,057 Hacking/IT Incident Hacking Incident – Details unknown
Mount Desert Island Hospital, Inc. ME Healthcare Provider 24,180 Hacking/IT Incident Cyberattack – Details unknown
Mercy Medical Center – Clinton, Inc. IA Healthcare Provider 20,865 Hacking/IT Incident Ransomware attack
Ascension Seton TX Healthcare Provider 17,191 Hacking/IT Incident Hacking incident at business associate (Vertex)
John N. Evans, DPM MI Healthcare Provider 15,585 Hacking/IT Incident Hacking Incident – Details unknown
New Horizons Medical, Inc MA Healthcare Provider 12,317 Hacking/IT Incident Hacking Incident – Details unknown
CareNet Medical Group, PC NY Healthcare Provider 10,059 Hacking/IT Incident Cyberattack with data theft confirmed
Core Performance Physicians, dba Vincera Core Physicians PA Healthcare Provider 10,000 Hacking/IT Incident Ransomware attack affecting four Vincera companies (25,000 affected in total)

Causes of June 2023 Healthcare Data Breaches

Hacking incidents once again dominated the breach reports, accounting for more than 77% of the month’s data breaches and more than 96% of the month’s breached records. The average breach size was 94,480 records and the median breach size was 5,973 records. 4,818,457 records were exposed or compromised in hacking incidents. There were 14 unauthorized access/disclosure incidents reported, which cover a range of different incidents including unauthorized medical record access, unsecured paper records, mismailing incidents, and misdirected emails. Across those incidents, 196,026 records were impermissibly accessed or disclosed. The average breach size was 14,002 records and the median breach size was 2,567 records. There was one incident involving the improper disposal of 600 paper records and no reported loss or theft incidents.

Causes of June 2023 healthcare data breaches

As the chart below shows the most common location of breached protected health information was network servers, with email accounts the second most common location of breached data.

location of breached information in June 2023 healthcare data breaches

Where Did the Breaches Occur?

The raw data from the OCR breach portal shows data breaches by reporting entity; however, that does not mean that is where the breach occurred. When data breaches occur at business associates, the business associate may report the breach, or the covered entities affected, or a combination of the two. The raw data shows 44 breaches at healthcare providers, 12 at business associates, and 10 at health plans.

The charts below are based on adjusted figures and show where the data breach occurred rather than the entity reporting the breach as this better reflects the number of data breaches that occurred at business associates of HIPAA-regulated entities.

June 2023 healthcare data breaches - covered entity type

Records breached at hipaa-regulated entities in June 2023

Geographical Distribution of Healthcare Data Breaches

Data breaches of 500 or more records were reported by HIPAA-regulated entities in 31 states in June 2023. Pennsylvania was the worst affected state, with 11 data breaches reported. The high total is partly due to 6 of the breaches relating to two incidents that were reported separately for each company affected. Even taking this into account, Pennsylvania was the worst affected state.

State Breaches
Pennsylvania 11
California 5
Massachusetts, New York & Texas 4
Arizona & Minnesota 3
Florida, Georgia, Maryland, Michigan, North Carolina, Ohio, Tennessee & Utah 2
Alabama, Delaware, Idaho, Illinois, Iowa, Indiana, Kansas, Kentucky, Maine, Mississippi, Montana, New Jersey, Oklahoma, Oregon, South Carolina & Virginia 1

HIPAA Enforcement Activity in June 2023

The Office for Civil Rights announced three enforcement actions in June to resolve potential violations of the HIPAA Rules. Yakima Valley Memorial Hospital was investigated by OCR after a report was received about a HIPAA breach involving 23 security guards who had been accessing patient records without authorization. OCR determined that the hospital had failed to implement reasonable and appropriate policies and procedures to comply with the standards, implementation specifications, or other requirements of the Security Rule. The case was settled and the hospital agreed to pay a $240,000 penalty.

Manasa Health Center was investigated after complaints were filed with OCR about impermissible disclosures of PHI in response to negative online reviews left by four patients. The case was settled with OCR and Manasa Health Center agreed to pay a $30,000 penalty. This was OCR’s third enforcement action in the past year to see a financial penalty for disclosures of PHI in response to negative patient reviews. No company likes to receive bad reviews and negative customer comments may be unjustified, but PHI must never be disclosed online in response to reviews.

iHealth Solutions, which does business as Advantum Health, was investigated over a relatively small data breach involving the exposure of the ePHI of 267 patients. Patient information was stored on a server that had not been properly secured, allowing protected health information to be accessed over the Internet. OCR determined that iHealth Solutions had failed to conduct an accurate, thorough, organization-wide risk analysis to identify all risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI. The case was settled and iHealth Solutions agreed to pay a $75,000 penalty.

OCR has now imposed 8 financial penalties on HIPAA-regulated entities so far this year to resolve alleged violations of the HIPAA Rules with the penalties totaling $1,976,500. OCR has already exceeded last year’s total of $1,124,640 in fines that were collected from HIPAA-regulated entities in 17 enforcement actions.

State attorneys general can also impose financial penalties for HIPAA violations, although the fines are often imposed for equivalent violations of state laws, as was the case in California in June. In 2019, Kaiser Permanente sent mailings to its plan members, but an error resulted in letters being sent to old addresses, resulting in an impermissible disclosure of members’ protected health information. While this was a HIPAA violation, California imposed a financial penalty for violations of the California Confidentiality of Medical Information Act (CMIA) – an impermissible disclosure of the personal information of up to 175,000 individuals and the negligent maintenance and/or disposal of medical information. The case was settled for $450,000.

The post June 2023 Healthcare Data Breach Report appeared first on HIPAA Journal.

HHS Criticized Over Proposed Reproductive Health Care HIPAA Privacy Rule Update

Lawmakers and state Attorneys General have written to the U.S. Department of Health and Human Services Secretary, Xavier Becerra, criticizing the proposed update to the HIPAA Privacy Rule that seeks to improve reproductive health information privacy.

Lawmakers Criticize HIPAA Privacy Rule Change for Not Going Far Enough to Protect Patient Privacy

In response to the proposed changes, Senators Ron Wyden (D-Ore.), Patty Murray (D-Wash.), and Rep. Sara Jacobs (D-CA) wrote to the HHS Secretary calling for the HHS to take further steps to protect the privacy of Americans, and not only apply the proposed changes to reproductive health information but all categories of protected health information (PHI).

The proposed HIPAA Privacy Rule changes, if enacted, will improve protections for certain categories of PHI but the lawmakers claim the changes do not go far enough and there is a need to expand the protections to cover all PHI and ensure it has the same protections as the contents of phone calls, emails, text messages, and geolocation data “to protect Americans from warrantless government surveillance.”

“Americans should be able to trust that the information they share in confidence with their doctors when seeking care will receive the highest protections under the law, regardless of the specific medical issue,” wrote the lawmakers. They explain that while the HIPAA Privacy Rule does not force healthcare professionals to testify about their patients’ medical conditions, under the current HIPAA regulations, medical records can be subpoenaed by law enforcement agencies who do not need to show probable cause of crime and there is no oversight from an independent judge. “The ability of law enforcement agencies to subpoena these records undermines patients’ legal protections, particularly in an era of digital health records, where every patient interaction is carefully documented.”

The lawmakers request the HHS update the proposed Privacy Rule change to require law enforcement agencies to obtain a warrant before forcing doctors, pharmacists, and other healthcare providers to turn over their patients’ records. Instead of the current text of the HIPAA Privacy Rule – 64.512(f)(1)(ii) – permitting law enforcement to obtain PHI with a subpoena, administrative request, or a court order, the Privacy Rule should prohibit such disclosures unless there is a search warrant, issued by a judge, upon a finding of probable cause of a crime.

Further, in cases when medical records are disclosed after a search warrant is served, law enforcement should be prohibited from disclosing the records to other law enforcement agencies, unless the disclosures are related to the investigation of the same alleged crime. They also call for the law to be updated to ensure that individuals are notified about any disclosure of their PHI to law enforcement agencies. The lawmakers claim such a change would be consistent with the protections afforded to other sensitive data under federal law and the Fourth Amendment to the Constitution.

The lawmakers believe that the proposed changes are not sufficient to prevent rogue state Attorneys General from attempting to obtain the private health records of Americans, including, but not limited to, the records of individuals seeking a legal abortion or medical assistance with gender transition. Such healthcare decisions need to be taken by each individual whereas certain state Attorneys General believe those decisions are everyone’s business.

The letter was signed by Sens. Bernard Sanders, Tammy Baldwin, Peter Welch, Tammy Duckworth, Sherrod Brown, Chris Van Hollen, Elizabeth Warren, Edward J. Markey, Martin Heinrich, Mazie K. Hirono, Alex Padilla, John Fetterman, Debbie Stabenow, Raphael Warnock, Maria Cantwell, Kirsten Gillibrand, Cory A. Booker, Pramila Jayapal, Ted W. Lieu, James P. McGovern, Madeleine Dean, and Delia C. Ramirez and Congress members, Barbera Lee, Anna G. Eshoo, Josh Gottheimer, Adam B. Schiff, Nikema Williams, Raúl M. Grijalva, Veronica Escobar, Eleanor Holmes Norton, Earl Blumenauer, Jasmine Crockett, Rashida Tlaib, Ro Khanna, Ilhan Omar, David J. Trone, Andrea Salinas, Henry C. Johnson Jr., Val Hoyle, Nydia M. Velázquez, Suzanne Bonamici, Zoe Lofgren, Mikie Sherill and Becca Balint.

19 State Attorneys General Claim Reproductive Health Information Privacy Rule Change is Unlawful

While some lawmakers feel the Biden Administration’s plans do not go far enough to protect the privacy of Americans, others are challenging the attempt to change the HIPAA Privacy Rule to prevent disclosures of reproductive health information to law enforcement and claim the proposed changes will prevent the enforcement of state laws and will hamper investigations of women who seek illegal abortions. Tennessee Attorney General, Jonathan Skemetti, said, “The HHS does not have authority to change the law in contradiction of the statute passed by Congress,” in a letter to the HHS Secretary challenging the proposed HIPAA Privacy Rule change. The letter was signed by 18 other state Attorneys General from Alabama, Alaska, Arkansas, Georgia, Idaho, Indiana, Kentucky, Louisiana, Missouri, Montana, Nebraska, North Dakota, Ohio, South Carolina, South Dakota, Texas, & Utah.

They argue that the decision of the Supreme Court to remove the Federal right to abortion and put the matter into the hands of individual states allowed states to introduce laws prohibiting or restricting abortions, but updating federal HIPAA law to prevent disclosures of reproductive health information would essentially make it difficult, if not impossible, to enforce state laws. States such as Tennessee that have introduced a ban on abortions for state residents would not be permitted to obtain information on state residents that travel out of state to circumvent state laws and have abortion procedures.

In the letter, Attorney General Skemetti claims the Biden Administration is pushing a false narrative that states are looking to treat pregnant women as criminals and punish healthcare professionals that provide lifesaving care. “Based on this lie, the Administration has sought to wrest control over abortion back from the people in defiance of the Constitution and Dobbs. The proposed rule here continues that effort,” said Skemetti, who claims the proposed HIPAA update is unlawful and does not serve any legitimate need, and “is a solution in search of a problem.”

The broad definition of “reproductive healthcare” in the proposed rule which includes information “related to reproductive organs, regardless of whether the health care is related to an individual’s pregnancy or whether the individual is of reproductive age,” means there is the potential for the proposed rule to interfere with the ability of state authorities to investigate child abuse cases and other serious crimes. Skemetti also expressed concern that the proposed rule would also obstruct state laws concerning experimental gender-transition procedures for minors and help to further the Biden Administration’s “radical transgender policy goals.”

Attorney General Skemetti points out that for more than 20 years the Federal HIPAA laws have helped to protect the privacy of Americans and ensure their health data remains private and confidential; however, HIPAA permits disclosure of health information to law enforcement and state authorities to protect public health, safety, and welfare, and the proposed change will prevent states from performing that important duty.  The Attorneys General have called for the proposed HHS rule change to be withdrawn as it is unlawful and exceeds the HHS’s statutory authority.

The post HHS Criticized Over Proposed Reproductive Health Care HIPAA Privacy Rule Update appeared first on HIPAA Journal.

HIPAA Compliance Guidelines

We have compiled these HIPAA Compliance Guidelines because HIPAA rules and regulations can be very confusing for healthcare professionals tasked with ensuring HIPAA compliance at their organization.

HIPAA Compliance Guidelines

Please use the form on this page to arrange to receive a free copy of the HIPAA Guidelines Checklist.

HIPAA Guidelines: Seven Elements For Effective Compliance

In 2011, HHS published “The Seven Fundamental Elements Of An Effective Compliance Program”. We have slightly amended it to be more relevant to HIPAA compliance in 2023. Here is a summary of the elements, which we outline in more detail below:

  1. Develop policies and procedures so that day-to-day activities comply with the Privacy Rule.
  2. Designate a Privacy Officer and a Security Officer.
  3. Implement effective training programs.
  4. Ensure channels of communication exist to report violations, and breaches.
  5. Monitor compliance at floor level so poor compliance practices can be nipped in the bud.
  6. Enforce sanctions policies fairly and equally.
  7. Respond promptly to identified or reported violations, and breaches.

You can also read more about the background and history of the Seven Elements here, although this is not necessary.

Next we go over each element in more detail

Element 1: Why Privacy Rule Policies and Procedures?

Although HIPAA compliance consists of complying with all relevant Administrative Simplification Regulations, implementing Security Rule and Breach Notification standards is generally an organizational process not connected with cultivating a culture of compliance. Additionally, the most common HIPAA violations are attributable to failures to comply with the Privacy Rule.

However, it is no longer sufficient to develop policies and procedures that only address permissible uses and disclosures, the minimum necessary standard, and patients’ rights. Covered Entities should ensure Privacy Rule policies and procedures include how to explain to patients what PHI is (and what it isn’t), how to verify an individual’s identity, and how to record requests for privacy protections.

Element 2: The Roles of HIPAA Compliance Officers

It is interesting that the HHS’ Office of Inspector General placed this “tip” in second place after the development of policies and procedures. This would imply the roles of HIPAA compliance officers are to train members of the workforce, monitor compliance, and enforce the organization’s sanctions policy. However, there is quite a lot more involved in being a compliance officer.

In most cases, the HIPAA Privacy Officer will be the point of contact for members of the public and members of the workforce that want to report privacy concerns. Security Officers are generally more responsible for conducting risk assessments, ensuring security solutions are configured properly, and training members of the workforce on how to use the solutions compliantly.

Element 3: What Makes an Effective Training Program?

The effectiveness of the training provided to members of the workforce can make the difference between ticking the box of compliance or cultivating a culture of compliance. To make Privacy Rule training effective, members of the workforce must understand what PHI is, why it has to be protected, and the consequences to patients, employers, and themselves of HIPAA violations.

Security Rule training must be even more focused on the consequences of taking shortcuts, circumnavigating safeguards, and failing to alert managers of a data breach for fear of “getting into trouble”. One way of achieving this is to ask members of the workforce to run personal online credentials through the HIBP database to illustrate the importance of unique, complex passwords.

Element 4: The Importance of Two-Way Communication

While policy making and training has to come from the top down, it is important that any channels of communication relating to HIPAA compliance are also bottom up – not only to raise compliance concerns or report HIPAA violations, but also to provide feedback on what works and what doesn’t on the ground floor, and what new challenges are facing frontline members of the workforce.

This is why it can be important – when resources allow – to have a compliance team consisting of team members that have worked in or have knowledge of how different departments operate. For example, a compliance team consisting solely of lawyers and IT managers may not appreciate the difficulty of protecting the privacy of PHI in front of a grieving family mourning a recent loss.

Element 5: How Most Poor Compliance Practices Develop

Most poor compliance practices result from well-meaning intentions – for example, to “get the job done” or provide a good service to a patient’s family. When minor violations are allowed to continue, poor compliance practices can develop into a culture of non-compliance. This is why it is important identify and address poor compliance practices at the earliest opportunity.

While it is important to have eyes on compliance at floor level, it is also important not to take eyes off compliance at higher levels. Busy managers and senior managers can also be guilty of taking shortcuts with compliance or ignoring non-compliant activities because they do not have the time to “sort it out” – when, in truth, the failure to take action is a failure of management.

Element 6: The Best Sanctions are Not Always Disciplinary

Sanctions policies can often be overwhelming documents threatening all manner of disciplinary actions for non-compliance from warnings to suspensions, to termination of contract and loss of license. Some even include the maximum federal penalties for violations of §1177 of the Social Security Act (up to ten years in prison and up to $250,000 in fines).

Although these sanctions may have to legally be included in a sanctions policy, making them the focus of attention is not necessarily the best way to cultivate a culture of compliance. The threat of additional training is often sufficient to create and maintain a compliant workforce – especially if whole teams have to attend refresher training due to the non-compliance of an individual!

Element 7: Responding Quickly is the Key to Compliance

One of the keys to cultivating a culture of compliance is to respond to queries, issues, complaints, reports of violations, and data breaches as quickly as possible. Responding quickly to any type of communication demonstrates a commitment to compliance and an eagerness to ensure – once a compliant workforce is achieved – the compliant state is maintained.

Responding to queries, issues, complaints, etc. would ordinarily be the responsibility of compliance officers (or teams), but this can lead to the compliance officers being overwhelmed. Consequently, it may be necessary for managers and senior managers to take some responsibility for monitoring compliance and responding to workforce or patient communications.

The post HIPAA Compliance Guidelines appeared first on HIPAA Journal.

HIPAA Business Associate Fined $75,000 for Maintaining ePHI on an Unsecured Server

The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has agreed to settle potential HIPAA violations with the HIPAA business associate, iHealth Solutions, LLC, for $75,000.

iHealth Solutions, doing business as Advantum Health, failed to secure one of its servers, which was accessed by an unauthorized individual who exfiltrated files that contained the electronic protected health information (ePHI) of 267 individuals. The HIPAA enforcement action shows that even relatively small data breaches can be investigated by OCR and result in a financial penalty. The last three penalties imposed by OCR to resolve HIPAA violations were all related to data breaches that affected fewer than 500 individuals.

Like many HIPAA-regulated entities that have been investigated by OCR after reporting data breaches, iHealth Solutions was discovered to have failed to comply with one of the most fundamental provisions of the HIPAA Rules – the risk analysis. All HIPAA-regulated entities must conduct an accurate, thorough, organization-wide risk analysis to identify all risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI – 45 C.F.R. §164.502(a).

OCR was notified about the data breach on August 22, 2017, and was informed that the ePHI of 267 individuals had been exfiltrated from the unsecured server. The fine was imposed for the impermissible disclosure of ePHI and the risk analysis failure.

In addition to the financial penalty, iHealth Solutions has agreed to implement a corrective action plan which includes the requirement to conduct an accurate and thorough assessment of the potential security risks and vulnerabilities to the confidentiality, integrity, and availability of iHealth’s ePHI, develop a risk management plan to address and mitigate all security risks identified in the risk analysis, develop a process to evaluate any environmental or operational changes that affect the security of iHealth ePHI, and develop, maintain, and revise, as necessary, written policies and procedures to ensure compliance with the HIPAA Privacy and Security Rules. OCR will monitor iHealth Solutions for two years to ensure compliance with the HIPAA Rules.

“HIPAA business associates must protect the privacy and security of the health information they are entrusted with by HIPAA-covered entities,” said OCR Director Melanie Fontes Rainer. “Effective cybersecurity includes ensuring that electronic protected health information is secure, and not accessible to just anyone with an internet connection.”

This is the 7th OCR enforcement action of 2023 to result in a financial penalty, and the third enforcement action to be announced by OCR this month. So far this year, OCR has fined HIPAA-regulated entities a total of $1,976,500 to resolve violations of the HIPAA Rules.  See HIPAA Violation Fines.

The post HIPAA Business Associate Fined $75,000 for Maintaining ePHI on an Unsecured Server appeared first on HIPAA Journal.

Senators Demand Answers on Amazon Clinic’s Uses of Customer Data

Two Democratic senators have demanded answers from Amazon about how it uses the data of customers of Amazon Clinic after an investigation by the Washington Post revealed individuals wishing to enroll in Amazon Clinic are required to sign away some of their privacy rights in order to use the service.

Amazon Clinic was launched in November 2022 and provides virtualized healthcare services. Amazon advertises the service as “a virtual healthcare storefront through which telehealth services are offered,” with those telehealth services provided by third-party healthcare providers. The Washington Post was contacted by a reader who requested an investigation of Amazon Clinic over the terms and conditions of its sign-up form. When enrolling for Amazon Clinic, users are required to provide consent to allow the use and disclosure of their protected health information. The form states that after providing consent Amazon will be authorized to have access to a complete patient file, may re-disclose information contained in that file and that the information disclosed will no longer be subject to the HIPAA Rules. While the terms are voluntary, individuals have no option of using Amazon Clinic if they do not agree to the terms and conditions.

Senators Peter Welch (D-VT) and Elizabeth Warren (D-MA) recently wrote to Amazon’s President and Chief Executive Officer, Andy Jassy, and expressed their concern that Amazon may be harvesting the health data of Amazon Clinic customers. The senators have demanded answers about how Amazon uses customers’ health data and whether Amazon is using the data collected from Amazon Clinic customers to sell them other Amazon products or services.

The form provided by Amazon Clinic is essentially a HIPAA Authorization, which is required by HIPAA-regulated entities before any disclosures of protected health information are possible that are not expressly permitted by the HIPAA Privacy Rule. The HIPAA Privacy Rule also prohibits conditioning care on signing an authorization to disclose patient information. The senators point out that the HIPAA authorization that Amazon Clinic customers are required to sign does not state how patient data will be used or shared. Essentially the signing of the authorization form gives Amazon full access to customers’ health data and allows the information to be used and redisclosed as Amazon sees fit. Amazon Clinic’s terms and conditions state that customer data is not used for any purposes that its customers have not consented to, yet no information is provided about why customer health data is collected and how that information will be used.

The senators explained that the Federal Trade Commission (FTC) recently fined telehealth provider GoodRx for failing to inform consumers that their health data was disclosed to third parties for advertising purposes, and in addition to paying a financial penalty, GoodRx has been prohibited from using manipulative methods – termed dark patterns – to obtain users’ consent to use and share their health information. “Amazon Clinic customers deserve to fully understand why Amazon is collecting their health care data and what the company is doing with it. Congress is also evaluating legislative efforts to protect health data in the context of emerging technologies,” wrote the senators.

The senators have asked Amazon to provide further information on its privacy practices by June 30, 2023, including a sample of the contract between Amazon and the third-party telehealth providers that have signed up with Amazon Clinic, a list of data elements collected from consumers that sign up for the service, a list of the data elements that are shared with other entities within Amazon Group, and a list of all uses of health data. Amazon was also asked whether any collected health data is used by its analytics and algorithms or for marketing, is sold to third parties, or is provided to federal, state, or local law enforcement authorities.

The post Senators Demand Answers on Amazon Clinic’s Uses of Customer Data appeared first on HIPAA Journal.